[nrf fromtree] Bluetooth: Mesh: Verify if Remote confirmation is not

...identical

MESH/PVNR/PROV/BI-18-C verifies that the IUT rejects invalid
Confirmation Value.

Signed-off-by: Michał Narajowski <[email protected]>
(cherry picked from commit 88b60f3)
Signed-off-by: Trond Einar Snekvik <[email protected]>

Author: Michał Narajowski

subsys/bluetooth/mesh/prov.h

@@ -118,7 +118,7 @@ struct bt_mesh_prov_link {
 	uint8_t dhkey[BT_DH_KEY_LEN];   /* Calculated DHKey */
 	uint8_t expect;                 /* Next expected PDU */
 
-	uint8_t conf[16];               /* Remote Confirmation */
+	uint8_t conf[16];               /* Local/Remote Confirmation */
 	uint8_t rand[16];               /* Local Random */
 
 	uint8_t conf_salt[16];          /* ConfirmationSalt */

subsys/bluetooth/mesh/provisioner.c

@@ -297,12 +297,14 @@ static void send_confirm(void)
 
 	if (bt_mesh_prov_conf(bt_mesh_prov_link.conf_key,
 			      bt_mesh_prov_link.rand, bt_mesh_prov_link.auth,
-			      net_buf_simple_add(&cfm, 16))) {
+			      bt_mesh_prov_link.conf)) {
 		BT_ERR("Unable to generate confirmation value");
 		prov_fail(PROV_ERR_UNEXP_ERR);
 		return;
 	}
 
+	net_buf_simple_add_mem(&cfm, bt_mesh_prov_link.conf, 16);
+
 	if (bt_mesh_prov_send(&cfm, NULL)) {
 		BT_ERR("Failed to send Provisioning Confirm");
 		return;
@@ -610,6 +612,12 @@ static void prov_confirm(const uint8_t *data)
 {
 	BT_DBG("Remote Confirm: %s", bt_hex(data, 16));
 
+	if (!memcmp(data, bt_mesh_prov_link.conf, 16)) {
+		BT_ERR("Confirm value is identical to ours, rejecting.");
+		prov_fail(PROV_ERR_CFM_FAILED);
+		return;
+	}
+
 	memcpy(bt_mesh_prov_link.conf, data, 16);
 
 	send_random();